---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.certmanager.k8s.io
  annotations:
    "helm.sh/hook": crd-install
    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
  labels:
    app: cert-manager
    chart: cert-manager-v0.5.2
    release: cert-manager
    heritage: Tiller
spec:
  group: certmanager.k8s.io
  scope: Namespaced
  versions:
  - name: v1alpha1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        description: Certificate is a type to represent a Certificate from ACME
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: CertificateSpec defines the desired state of Certificate.
              A valid Certificate requires at least one of a CommonName, DNSName,
              or URISAN to be valid.
            type: object
            required:
            - issuerRef
            - secretName
            properties:
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              dnsNames:
                description: DNSNames is a list of subject alt names to be used on
                  the Certificate.
                type: array
                items:
                  type: string
              duration:
                description: Certificate default Duration
                type: string
              emailSANs:
                description: EmailSANs is a list of Email Subject Alternative Names
                  to be set on this Certificate.
                type: array
                items:
                  type: string
              ipAddresses:
                description: IPAddresses is a list of IP addresses to be used on the
                  Certificate
                type: array
                items:
                  type: string
              isCA:
                description: IsCA will mark this Certificate as valid for signing.
                  This implies that the 'cert sign' usage is set
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                type: object
                required:
                - name
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                  name:
                    type: string
              keyAlgorithm:
                description: KeyAlgorithm is the private key algorithm of the corresponding
                  private key for this certificate. If provided, allowed values are
                  either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
                  and key size of 2048 will be used for "rsa" key algorithm.
                type: string
                enum:
                - rsa
                - ecdsa
              keyEncoding:
                description: KeyEncoding is the private key cryptography standards
                  (PKCS) for this certificate's private key to be encoded in. If provided,
                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                  respectively. If KeyEncoding is not specified, then PKCS#1 will
                  be used by default.
                type: string
                enum:
                - pkcs1
                - pkcs8
              keySize:
                description: KeySize is the key bit size of the corresponding private
                  key for this certificate. If provided, value must be between 2048
                  and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                  and value must be one of (256, 384, 521) when KeyAlgorithm is set
                  to "ecdsa".
                type: integer
                maximum: 8192
                minimum: 0
              keystores:
                description: Keystores configures additional keystore output formats
                  stored in the `secretName` Secret resource.
                type: object
                properties:
                  jks:
                    description: JKS configures options for storing a JKS keystore
                      in the `spec.secretName` Secret resource.
                    type: object
                    required:
                    - create
                    - passwordSecretRef
                    properties:
                      create:
                        description: Create enables JKS keystore creation for the
                          Certificate. If true, a file named `keystore.jks` will be
                          created in the target Secret resource, encrypted using the
                          password stored in `passwordSecretRef`. The keystore file
                          will only be updated upon re-issuance.
                        type: boolean
                      passwordSecretRef:
                        description: PasswordSecretRef is a reference to a key in
                          a Secret resource containing the password used to encrypt
                          the JKS keystore.
                        type: object
                        required:
                        - name
                        properties:
                          key:
                            description: The key of the secret to select from. Must
                              be a valid secret key.
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                              TODO: Add other useful fields. apiVersion, kind, uid?'
                            type: string
                  pkcs12:
                    description: PKCS12 configures options for storing a PKCS12 keystore
                      in the `spec.secretName` Secret resource.
                    type: object
                    required:
                    - create
                    - passwordSecretRef
                    properties:
                      create:
                        description: Create enables PKCS12 keystore creation for the
                          Certificate. If true, a file named `keystore.p12` will be
                          created in the target Secret resource, encrypted using the
                          password stored in `passwordSecretRef`. The keystore file
                          will only be updated upon re-issuance.
                        type: boolean
                      passwordSecretRef:
                        description: PasswordSecretRef is a reference to a key in
                          a Secret resource containing the password used to encrypt
                          the PKCS12 keystore.
                        type: object
                        required:
                        - name
                        properties:
                          key:
                            description: The key of the secret to select from. Must
                              be a valid secret key.
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                              TODO: Add other useful fields. apiVersion, kind, uid?'
                            type: string
              organization:
                description: Organization is the organization to be used on the Certificate
                type: array
                items:
                  type: string
              privateKey:
                description: Options to control private keys used for the Certificate.
                type: object
                properties:
                  rotationPolicy:
                    description: RotationPolicy controls how private keys should be
                      regenerated when a re-issuance is being processed. If set to
                      Never, a private key will only be generated if one does not
                      already exist in the target `spec.secretName`. If one does exists
                      but it does not have the correct algorithm or size, a warning
                      will be raised to await user intervention. If set to Always,
                      a private key matching the specified requirements will be generated
                      whenever a re-issuance occurs. Default is 'Never' for backward
                      compatibility.
                    type: string
              renewBefore:
                description: Certificate renew before expiration duration
                type: string
              secretName:
                description: SecretName is the name of the secret resource to store
                  this secret in
                type: string
              subject:
                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                type: object
                properties:
                  countries:
                    description: Countries to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  localities:
                    description: Cities to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  organizationalUnits:
                    description: Organizational Units to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  postalCodes:
                    description: Postal codes to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  provinces:
                    description: State/Provinces to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  serialNumber:
                    description: Serial number to be used on the Certificate.
                    type: string
                  streetAddresses:
                    description: Street addresses to be used on the Certificate.
                    type: array
                    items:
                      type: string
              uriSANs:
                description: URISANs is a list of URI Subject Alternative Names to
                  be set on this Certificate.
                type: array
                items:
                  type: string
              usages:
                description: Usages is the set of x509 actions that are enabled for
                  a given key. Defaults are ('digital signature', 'key encipherment')
                  if empty
                type: array
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                    Valid KeyUsage values are as follows: "signing", "digital signature",
                    "content commitment", "key encipherment", "key agreement", "data
                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
                    only", "any", "server auth", "client auth", "code signing", "email
                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                    sgc"'
                  type: string
                  enum:
                  - signing
                  - digital signature
                  - content commitment
                  - key encipherment
                  - key agreement
                  - data encipherment
                  - cert sign
                  - crl sign
                  - encipher only
                  - decipher only
                  - any
                  - server auth
                  - client auth
                  - code signing
                  - email protection
                  - s/mime
                  - ipsec end system
                  - ipsec tunnel
                  - ipsec user
                  - timestamping
                  - ocsp signing
                  - microsoft sgc
                  - netscape sgc
          status:
            description: CertificateStatus defines the observed state of Certificate
            type: object
            properties:
              conditions:
                type: array
                items:
                  description: CertificateCondition contains condition information
                    for an Certificate.
                  type: object
                  required:
                  - status
                  - type
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      type: string
                      format: date-time
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      type: string
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                    type:
                      description: Type of the condition, currently ('Ready').
                      type: string
              lastFailureTime:
                type: string
                format: date-time
              nextPrivateKeySecretName:
                description: The name of the Secret resource containing the private
                  key to be used for the next certificate iteration. The keymanager
                  controller will automatically set this field if the `Issuing` condition
                  is set to `True`. It will automatically unset this field when the
                  Issuing condition is not set or False.
                type: string
              notAfter:
                description: The expiration time of the certificate stored in the
                  secret named by this resource in spec.secretName.
                type: string
                format: date-time
              revision:
                description: "The current 'revision' of the certificate as issued.
                  \n When a CertificateRequest resource is created, it will have the
                  `cert-manager.io/certificate-revision` set to one greater than the
                  current value of this field. \n Upon issuance, this field will be
                  set to the value of the annotation on the CertificateRequest resource
                  used to issue the certificate. \n Persisting the value on the CertificateRequest
                  resource allows the certificates controller to know whether a request
                  is part of an old issuance or if it is part of the ongoing revision's
                  issuance by checking if the revision value in the annotation is
                  greater than this field."
                type: integer
  - name: v1alpha3
    served: true
    storage: false
    "schema":
      "openAPIV3Schema":
        description: Certificate is a type to represent a Certificate from ACME
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: CertificateSpec defines the desired state of Certificate.
              A valid Certificate requires at least one of a CommonName, DNSName,
              or URISAN to be valid.
            type: object
            required:
            - issuerRef
            - secretName
            properties:
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              dnsNames:
                description: DNSNames is a list of subject alt names to be used on
                  the Certificate.
                type: array
                items:
                  type: string
              duration:
                description: Certificate default Duration
                type: string
              emailSANs:
                description: EmailSANs is a list of Email Subject Alternative Names
                  to be set on this Certificate.
                type: array
                items:
                  type: string
              ipAddresses:
                description: IPAddresses is a list of IP addresses to be used on the
                  Certificate
                type: array
                items:
                  type: string
              isCA:
                description: IsCA will mark this Certificate as valid for signing.
                  This implies that the 'cert sign' usage is set
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                type: object
                required:
                - name
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                  name:
                    type: string
              keyAlgorithm:
                description: KeyAlgorithm is the private key algorithm of the corresponding
                  private key for this certificate. If provided, allowed values are
                  either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
                  and key size of 2048 will be used for "rsa" key algorithm.
                type: string
                enum:
                - rsa
                - ecdsa
              keyEncoding:
                description: KeyEncoding is the private key cryptography standards
                  (PKCS) for this certificate's private key to be encoded in. If provided,
                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                  respectively. If KeyEncoding is not specified, then PKCS#1 will
                  be used by default.
                type: string
                enum:
                - pkcs1
                - pkcs8
              keySize:
                description: KeySize is the key bit size of the corresponding private
                  key for this certificate. If provided, value must be between 2048
                  and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                  and value must be one of (256, 384, 521) when KeyAlgorithm is set
                  to "ecdsa".
                type: integer
                maximum: 8192
                minimum: 0
              keystores:
                description: Keystores configures additional keystore output formats
                  stored in the `secretName` Secret resource.
                type: object
                properties:
                  jks:
                    description: JKS configures options for storing a JKS keystore
                      in the `spec.secretName` Secret resource.
                    type: object
                    required:
                    - create
                    - passwordSecretRef
                    properties:
                      create:
                        description: Create enables JKS keystore creation for the
                          Certificate. If true, a file named `keystore.jks` will be
                          created in the target Secret resource, encrypted using the
                          password stored in `passwordSecretRef`. The keystore file
                          will only be updated upon re-issuance.
                        type: boolean
                      passwordSecretRef:
                        description: PasswordSecretRef is a reference to a key in
                          a Secret resource containing the password used to encrypt
                          the JKS keystore.
                        type: object
                        required:
                        - name
                        properties:
                          key:
                            description: The key of the secret to select from. Must
                              be a valid secret key.
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                              TODO: Add other useful fields. apiVersion, kind, uid?'
                            type: string
                  pkcs12:
                    description: PKCS12 configures options for storing a PKCS12 keystore
                      in the `spec.secretName` Secret resource.
                    type: object
                    required:
                    - create
                    - passwordSecretRef
                    properties:
                      create:
                        description: Create enables PKCS12 keystore creation for the
                          Certificate. If true, a file named `keystore.p12` will be
                          created in the target Secret resource, encrypted using the
                          password stored in `passwordSecretRef`. The keystore file
                          will only be updated upon re-issuance.
                        type: boolean
                      passwordSecretRef:
                        description: PasswordSecretRef is a reference to a key in
                          a Secret resource containing the password used to encrypt
                          the PKCS12 keystore.
                        type: object
                        required:
                        - name
                        properties:
                          key:
                            description: The key of the secret to select from. Must
                              be a valid secret key.
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                              TODO: Add other useful fields. apiVersion, kind, uid?'
                            type: string
              privateKey:
                description: Options to control private keys used for the Certificate.
                type: object
                properties:
                  rotationPolicy:
                    description: RotationPolicy controls how private keys should be
                      regenerated when a re-issuance is being processed. If set to
                      Never, a private key will only be generated if one does not
                      already exist in the target `spec.secretName`. If one does exists
                      but it does not have the correct algorithm or size, a warning
                      will be raised to await user intervention. If set to Always,
                      a private key matching the specified requirements will be generated
                      whenever a re-issuance occurs. Default is 'Never' for backward
                      compatibility.
                    type: string
              renewBefore:
                description: Certificate renew before expiration duration
                type: string
              secretName:
                description: SecretName is the name of the secret resource to store
                  this secret in
                type: string
              subject:
                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                type: object
                properties:
                  countries:
                    description: Countries to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  localities:
                    description: Cities to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  organizationalUnits:
                    description: Organizational Units to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  organizations:
                    description: Organizations to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  postalCodes:
                    description: Postal codes to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  provinces:
                    description: State/Provinces to be used on the Certificate.
                    type: array
                    items:
                      type: string
                  serialNumber:
                    description: Serial number to be used on the Certificate.
                    type: string
                  streetAddresses:
                    description: Street addresses to be used on the Certificate.
                    type: array
                    items:
                      type: string
              uriSANs:
                description: URISANs is a list of URI Subject Alternative Names to
                  be set on this Certificate.
                type: array
                items:
                  type: string
              usages:
                description: Usages is the set of x509 actions that are enabled for
                  a given key. Defaults are ('digital signature', 'key encipherment')
                  if empty
                type: array
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                    Valid KeyUsage values are as follows: "signing", "digital signature",
                    "content commitment", "key encipherment", "key agreement", "data
                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
                    only", "any", "server auth", "client auth", "code signing", "email
                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                    sgc"'
                  type: string
                  enum:
                  - signing
                  - digital signature
                  - content commitment
                  - key encipherment
                  - key agreement
                  - data encipherment
                  - cert sign
                  - crl sign
                  - encipher only
                  - decipher only
                  - any
                  - server auth
                  - client auth
                  - code signing
                  - email protection
                  - s/mime
                  - ipsec end system
                  - ipsec tunnel
                  - ipsec user
                  - timestamping
                  - ocsp signing
                  - microsoft sgc
                  - netscape sgc
          status:
            description: CertificateStatus defines the observed state of Certificate
            type: object
            properties:
              conditions:
                type: array
                items:
                  description: CertificateCondition contains condition information
                    for an Certificate.
                  type: object
                  required:
                  - status
                  - type
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      type: string
                      format: date-time
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      type: string
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                    type:
                      description: Type of the condition, currently ('Ready').
                      type: string
              lastFailureTime:
                type: string
                format: date-time
              nextPrivateKeySecretName:
                description: The name of the Secret resource containing the private
                  key to be used for the next certificate iteration. The keymanager
                  controller will automatically set this field if the `Issuing` condition
                  is set to `True`. It will automatically unset this field when the
                  Issuing condition is not set or False.
                type: string
              notAfter:
                description: The expiration time of the certificate stored in the
                  secret named by this resource in spec.secretName.
                type: string
                format: date-time
              revision:
                description: "The current 'revision' of the certificate as issued.
                  \n When a CertificateRequest resource is created, it will have the
                  `cert-manager.io/certificate-revision` set to one greater than the
                  current value of this field. \n Upon issuance, this field will be
                  set to the value of the annotation on the CertificateRequest resource
                  used to issue the certificate. \n Persisting the value on the CertificateRequest
                  resource allows the certificates controller to know whether a request
                  is part of an old issuance or if it is part of the ongoing revision's
                  issuance by checking if the revision value in the annotation is
                  greater than this field."
                type: integer
  names:
    kind: Certificate
    plural: certificates
    shortNames:
      - cert
      - certs

